-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: google drive permissions sync #484
Conversation
ea7e807
to
b971333
Compare
Codecov Report
@@ Coverage Diff @@
## master #484 +/- ##
==========================================
- Coverage 94.83% 93.66% -1.18%
==========================================
Files 44 45 +1
Lines 2403 2495 +92
Branches 303 320 +17
==========================================
+ Hits 2279 2337 +58
- Misses 80 110 +30
- Partials 44 48 +4
Continue to review full report at Codecov.
|
319d1df
to
becd800
Compare
becd800
to
ccee0bd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs a bit more testing.
def refresh_drive_permissions(self): | ||
""" | ||
Refresh Google Drive permissions based on user role. If no GCP client | ||
is provided, this function is a no-op. | ||
""" | ||
|
||
if self.gcp is None: | ||
logging.debug("GCP not enabled, skipping drive permissions") | ||
return | ||
|
||
all_teams: List[Team] = self.facade.query(Team) | ||
for t in all_teams: | ||
if len(t.folder) == 0: | ||
continue | ||
|
||
emails: List[str] = [] | ||
for m in t.members: | ||
if len(m.email) > 0: | ||
emails.append(m.email) | ||
|
||
if len(emails) > 0: | ||
logging.info("Synchronizing permissions for " | ||
+ f"{t.github_team_name}'s folder ({t.folder}) " | ||
+ f"to {emails}") | ||
self.gcp.set_drive_permissions( | ||
t.folder, t.github_team_name, emails) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You may want to run a more specialized version of this function, specific to the team that called with a --folder
, to sync permissions for that team's team members only.
Something similar to what happens when we do /rocket user edit --github
and we do an invite for that github user to join our organization.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think it's necessary at the moment? Happy to implement this in a follow-up instead :)
e5aae9a
to
a4ac605
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay so here's the thing. /rocket team refresh
takes around 20 seconds to execute (last I checked). The more members we have in Launch Pad, the longer it takes, O(n)
. We'll still need ways for users to receive the permission sharing automatically, whether if it is a user just adding their emails, or a team adding a folder ID into the system.
I am very adamant about not using /rocket team refresh
unless we really need to because ... there are lots of side effects that I don't know about, that may be disruptive. For example, today I found out that it would forcefully add a user back into the organization if the user was in ddb but was already out of the org (one possibility would be if the user ID was still in a team in ddb).
Will have to implement this as a follow-up. For now I'm approving this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay so here's the thing. /rocket team refresh
takes around 20 seconds to execute (last I checked). The more members we have in Launch Pad, the longer it takes, O(n)
. We'll still need ways for users to receive the permission sharing automatically, whether if it is a user just adding their emails, or a team adding a folder ID into the system.
I am very adamant about not using /rocket team refresh
unless we really need to because ... there are lots of side effects that I don't know about, that may be disruptive. For example, today I found out that it would forcefully add a user back into the organization if the user was in ddb but was already out of the org (one possibility would be if the user ID was still in a team in ddb).
Will have to implement this as a follow-up. For now I'm approving this.
@cheukyin699 agreed and noted! I've created #490 to cover that |
Pull Request
Description
Give a brief description of your changes:
Enables an optional step to
team refresh
, enabled by providingGCP_SERVICE_ACCOUNT_CREDENTIALS
, to synchronize team folders by sharing each team's configuredfolder
to all emails provided by that team's members.The current intended use case for this is only for the top-level folders indicated in https://docs.ubclaunchpad.com/handbook/tools/drive - i.e I will be assigning the following folders:
all
:Projects
leads
:UBC Launch Pad
design
:Design
strategy
:Strategy
As such, no care has been taken for certain edge cases (ie "what if I don't want to unshare with anyone not on a rocket team?") - for this iteration of this feature, I am going to keep it simple.
The goal is to remove one of the last steps that leads have to do from onboarding - see ubclaunchpad/LP-website#175 . It currently requires a refresh - see #490, #495
Testing
If testing this change requires extra setup, please document it here:
Simple unit test provided.
Working on a clicky-click test as well.Update - verified this works!
Ticket(s)
Closes #284
(Create a copy of that line for each Github Issue affected,
and replace "Affects" with "Closes" if merging this will close the relevant ticket.)